US-9521115

Security policy generation using container metadata

Published: December 13, 2016
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include: receiving metadata about a deployed container from a container orchestration layer; determining an application or service associated with the container from the received metadata; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the container; and generating a high-level declarative security policy associated with the container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the container can communicate.

Patent Claims
17 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for security in a container-based virtualization environment comprising:
    receiving metadata about a deployed container from a container orchestration layer, the metadata including an image type of the deployed container, the deployed container being deployed in a hardware server;
    determining an application or service performed by the deployed container from the received metadata;
    retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container;
    generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container communicates; and
    launching a compiler, the compiler producing a low-level firewall rule set using the high-level declarative security policy, the low-level firewall rule set being provided to an enforcement point, the enforcement point applying the low-level firewall rule set to data network traffic.

2. The method of claim 1, in which the metadata is received from the container orchestration layer using at least an application programming interface (API).

3. The method of claim 1, in which: the metadata further includes at least one of an image name, service name, ports, and other tags and/or labels associated with the deployed container; and the at least one of the image name, service name, ports, and other tags and/or labels is associated with the determined application or service.

4. The method of claim 1, in which the determining the application or service includes: identifying the determined application or service using the image type.

5. The method of claim 1, in which the deployed container is at least one of: a Docker container and a Rocket (rkt) container.

6. The method of claim 5, in which the container orchestration layer is at least one of: Docker Swarm, Kubernetes, Diego, and Mesos.

7. The method of claim 1, in which the determined application or service is at least one of: a database, email server, message queue, web server, Session Initiation Protocol (SIP) server, file server, object-based storage, naming system, storage networking, and directory.

8. The method of claim 1 further comprising:
    determining a potential violation of the high-level declarative security policy using the low-level firewall rule set; and
    performing at least one of: sending an alert, dropping communications associated with the potential violation, and forwarding communications associated with the potential violation.

9. A system for security in a container-based virtualization environment comprising:
    a hardware processor; and
    a memory coupled to the hardware processor, the memory storing instructions which are executable by the hardware processor to perform a method comprising:
        receiving metadata about a deployed container from a container orchestration layer, the metadata including an image type of the deployed container, the deployed container being deployed in a hardware server;
        determining an application or service performed by the deployed container from the received metadata;
        retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container;
        generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container communicates; and
        launching a compiler, the compiler producing a low-level firewall rule set using the high-level declarative security policy, the low-level firewall rule set being provided to an enforcement point, the enforcement point applying the low-level firewall rule set to data network traffic.

10. The system of claim 9, wherein the metadata is received from the container orchestration layer using at least an application programming interface (API).

11. The system of claim 9, in which: the metadata further includes at least one of an image name, service name, ports, and other tags and/or labels associated with the deployed container; and the at least one of the image name, service name, ports, and other tags and/or labels is associated with the determined application or service.

12. The system of claim 9, in which the determining the application or service includes: identifying the determined application or service using the image type.

13. The system of claim 9, in which the deployed container is at least one of: a Docker container and a Rocket (rkt) container.

14. The system of claim 13, in which the container orchestration layer is at least one of: Docker Swarm, Kubernetes, Diego, and Mesos.

15. The system of claim 9, in which the determined application or service is at least one of: a database, email server, message queue, web server, Session Initiation Protocol (SIP) server, file server, object-based storage, naming system, storage networking, and directory.

16. The system of claim 9, in which the method further comprises:
    determining a potential violation of the high-level declarative security policy using the low-level firewall rule set; and
    performing at least one of: sending an alert, dropping communications associated with the potential violation, and forwarding communications associated with the potential violation.

17. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for security in a container-based virtualization environment, the method comprising:
    receiving metadata about a deployed container from a container orchestration layer, the metadata including an image type of the deployed container, the deployed container being deployed in a hardware server;
    determining an application or service performed by the deployed container from the received metadata;
    retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container;
    generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container communicates; and
    launching a compiler, the compiler producing a low-level firewall rule set using the high-level declarative security policy, the low-level firewall rule set being provided to an enforcement point, the enforcement point applying the low-level firewall rule set to data network traffic.
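The pipeline described in the abstract and in claims 1 and 8 (metadata from the orchestration layer, application class from the image type, a behaviour model, a high-level declarative policy, a compiled low-level rule set, and an enforcement point that alerts, drops or forwards violations), as an added Python illustration that is not the patent's or any implementation's code. The container metadata, the image-type table, the behaviour models, the policy shape, the rule syntax and the `on_violation` setting are all constructed assumptions.

```python
# Constructed: metadata as an orchestration layer might expose it for two containers
# (image, service name, ports, labels). Not real orchestrator output.
CONTAINERS = [
    {"id": "c1", "image": "nginx:1.25", "service": "web", "ports": [80], "labels": {"tier": "frontend"}},
    {"id": "c2", "image": "postgres:16", "service": "db", "ports": [5432], "labels": {"tier": "data"}},
]

# Constructed: image type -> application class (the determination step of claims 4 and 7).
IMAGE_TYPES = {"nginx": "web server", "postgres": "database", "rabbitmq": "message queue"}

# Constructed: application class -> model of expected network communications behaviour.
MODELS = {
    "web server": {"talks_to": ["database"]},
    "database": {"talks_to": []},
}

def classify(meta):
    """Determine the application class from the image type (image name before the tag)."""
    base = meta["image"].split(":")[0].split("/")[-1]
    return IMAGE_TYPES.get(base, "unknown")

def high_level_policy(meta):
    """Generate the declarative policy: which application classes this container may reach."""
    app = classify(meta)
    model = MODELS.get(app, {"talks_to": []})
    return {"container": meta["id"], "app": app, "allow_to": list(model["talks_to"])}

def compile_rules(policies, inventory):
    """Compile every container's high-level policy into one low-level rule set.
    Constructed rule syntax: (action, src_id, dst_id, dst_port); "*" and 0 are wildcards,
    first match wins, and each container ends with a default deny."""
    rules = []
    for pol in policies:
        for peer in inventory:
            if classify(peer) in pol["allow_to"]:
                for port in peer["ports"]:
                    rules.append(("allow", pol["container"], peer["id"], port))
        rules.append(("deny", pol["container"], "*", 0))
    return rules

def enforce(rules, src, dst, port, on_violation="drop"):
    """Enforcement point (claim 8): apply the rule set to one flow. A flow that hits a deny
    rule is a potential policy violation and is alerted, dropped or forwarded per config."""
    for action, r_src, r_dst, r_port in rules:
        if r_src == src and r_dst in (dst, "*") and r_port in (port, 0):
            if action == "allow":
                return "forward"
            return {"alert": "alert", "drop": "drop", "forward": "forward"}[on_violation]
    return "drop"  # unknown source container: fail closed
```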


Patent Metadata

Filing Date: March 24, 2016

Publication Date: December 13, 2016


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Security policy generation using container metadata” (US-9521115). https://patentable.app/patents/US-9521115

© 2026 Patentable. All rights reserved.
